June 2012 - Posts

I was reading an article at the New York Times online on passwords (and their "dreaded security questions" such as "In what city were you born?") and how they are impossible to keep straight. This being the Fashion & Style section (whodda thunk it? Data security issues covered in the fashion section of the Gray Lady?), a bunch of celebrities and captains of industry and other people of importance were interviewed.

For a creative bunch, they're quite literal-minded:

"It'd be fine if [the security question] was my mother's maiden name," Mr. Leeds [the president of Leeds Equity and a fixture on the New York social scene] said. "That is different from 'What is the name of your first girlfriend?' You think: 'Well, what do you mean by girlfriend? Is that the first woman I ever slept with, or someone I liked who never particularly liked me back?' It's a march through your entire personal history just to get on some damn Web site which will deliver your groceries."

Ok, so, literal-minded sprinkled with a bit of existentialism. Also,

[Mr. Paul Rudnick, a writer] also finds the questions misguided. "They should go negative," he suggested. "What's your least favorite color, who's your least favorite relative and who's the last person on earth you would date? People would remember those questions, and they'd enjoy answering them far more."

Learning from the Dirty Dozen

More specifically, learning from Joseph Wladislaw. Who's Joseph Wladislaw? you may ask. That's Charles Bronson's character in The Dirty Dozen, a story about twelve convicts who are recruited and trained as a saboteur unit against Nazi Germany on the eve of the D-Day landings.

While reading the NYT article, and seeing how interviewees were being so literal-minded about the security questions, I was reminded of the one scene where a doctor tries a word association game with Wladislaw:

Yes, the answers make no sense in light of the "questions." Now, from a psychological perspective, this might mean... I don't know, that there is something wrong with the person being assessed. However, in this day and age of the social web, it might help a bit to be a little crazy. Or at least, not to take things so literally.

For example, where were you born? Why does it have to be NYC, or London, or Burkina Faso? Why not Andromeda or the Crab Nebula? Or fish? The last one, of course, is approaching surrealism, but there's absolutely no reason why you shouldn't use "Wladislawian" answers when it comes to answers that no mortal will ever be looking at (as far as I know, these "answers" are stored on a server somewhere and hashed, like passwords).

So, don't be literal-minded when choosing answers to security questions. Just make sure you're consistent in how you apply it.

Will it work in making you safer? Let me put it this way: Wladislaw is the only one of the Dozen who made it out alive in the end.

Towards Employment -- a non-profit organization in Cleveland, Ohio that helps people find jobs -- has announced that a laptop with names and SSNs of 26,000 people was stolen last month. It appears that full disk encryption like AlertBoot was not used to secure the data. The breach affects 260,000 people.

Data Spans 36 Years

According to a commentator at cleveland.com, Towards Employment has offered

job-placement services to low-income people since 1976 and to former convicts since 2004. So, over the past 36 years, it has helped more than 100,000 people. Of those, about 26,000 had their social security numbers, names and addresses in the database.

It was noted that the laptop was password protected, but that "it is possible that someone could still gain access to the personal information." The word "possible" here is an understatement. It's not "possible" as in "a one in a million chance is still a possibility." Rather, "possible" denotes "ease" as in "it's possible to substitute the mashed potato with grilled vegetables."

Towards Employment has made some internal changes in light of the laptop theft. First, it's not collecting Social Security numbers anymore. Second, it purged the SSNs already collected, substituting them with the last four digits of the SSN. Well, I think the records were purged, and I certainly hope that my assumption holds up. Otherwise, there's always the possibility for the non-profit to experience another breach of sensitive, personal data.
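As an added example (not code from the post or from the non-profit), here is what the purge-and-truncate step described above looks like when it is followed by the verification the author wishes for: a scan of every field for anything that still looks like a full nine-digit SSN. The records and field names are constructed.

```python
import re
from typing import Dict, List

# Constructed sample records, not real data, in the shape the post
# describes: name, address and a full Social Security number.
RECORDS: List[Dict[str, str]] = [
    {"name": "Sample Person A", "address": "1 Example St", "ssn": "123-45-6789"},
    {"name": "Sample Person B", "address": "2 Example Ave", "ssn": "987654321"},
]

# Matches a full SSN with or without dashes (3-2-4 digit groups).
FULL_SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def truncate_ssn(record: Dict[str, str]) -> Dict[str, str]:
    """Replace the full SSN with its last four digits, dropping the rest."""
    digits = re.sub(r"\D", "", record["ssn"])
    purged = {k: v for k, v in record.items() if k != "ssn"}
    purged["ssn_last4"] = digits[-4:]
    return purged


def purge(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the truncation to every record in the store."""
    return [truncate_ssn(r) for r in records]


def full_ssns_remaining(records: List[Dict[str, str]]) -> int:
    """Verification step: count fields that still contain a full SSN.

    Scans every value, not just the 'ssn' column, so an SSN that was
    pasted into a free-text field such as an address is caught too.
    """
    return sum(1 for r in records for v in r.values() if FULL_SSN_RE.search(v))


if __name__ == "__main__":
    before = full_ssns_remaining(RECORDS)
    after = full_ssns_remaining(purge(RECORDS))
    print(f"full SSNs before purge: {before}, after purge: {after}")
```

Run the scan against the whole store, including free-text fields, before declaring the purge complete; a zero count is the evidence the post says it hopes exists.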

Data Security: Why After the Fact?

The story of an agency having a data breach, non-profit or otherwise, is not news. Neither is the fact that they step up their security after they suffer a data breach (as if that'll somehow magically wipe the SSNs held by potentially criminal third parties).

Now, I can understand this at a certain level: sometimes it takes a massive amount of negative publicity to secure funds. But, in this particular case even that doesn't make sense. As far as I can tell, the agency decided to stop collecting information, as opposed to upgrading their data security by employing encryption software for laptops.

(Plus, I'm not sure I understand why they stopped collecting SSNs but decided to truncate existing ones. Wouldn't it also make sense to wipe that data completely?)

Not collecting data is a perfectly good way of protecting oneself against a data breach. But why wait until you have a breach?

The world of mobile phone security certainly is more interesting than that of laptops and desktop computers. If you haven't heard, there is now an app for skimming information from NFC cards via a smartphone. The technology is apparently so new that some people have problems understanding what it does:

The "paycardreader" app lets thieves "skim the card numbers and dates, along with transactions and merchant IDs" of nearby people's phones. Both hacker and victim must have NFC-smartphones equipped in order for the app to work. [mobiledia.com]

As I understand it, this is not the case at all. What the app does is best summarized by newscientist.com (my emphases):

Got a credit card equipped with a contactless payment chip? Then watch out next time someone bumps into you in the street - they may have just mugged you with an app.

Contactless cards use near field communications (NFC) chips to exchange your payment details with a merchant's till, and some smartphones also come equipped with NFC chips to let you use them as a wallet. Now security researcher Thomas Skora has written an app that turns any NFC phone into a reader and successfully read card numbers, expiry dates, transactions and merchant IDs from German credit cards.

What the app does is attack credit cards, not phones. So, if you think about it, this is not malware as we know it. Sure, it's evil software -- just like a keystroke logger can be -- but whoever downloads the app to their smartphone knows exactly why they did so. It's not a virus. It's not a trojan. It's not hiding from the user's eyes or mind; it's aiding the user.

I'm not sure where or how mobiledia.com managed to get the one detail wrong, but the rest of their article is top-notch.

A solution for this problem (aside from pulling the app from Google Play; contrary to reports, it is no longer listed in the app store, although I can only point this out because I'm slower in reporting the story) could be the use of a wallet especially designed to block RFID signals.

Data breaches. They come in all forms. And the Federal Trade Commission (FTC) is going after the irresponsible ones, no matter what form they take. Earlier this month, the FTC charged two companies with leaking data via P2P networks. The use of data encryption on files conceivably protects against the breach of sensitive data (mind you, that's file encryption and not disk encryption we're talking about).

What is P2P and Why is it a Data Security Concern?

P2P stands for "peer to peer" and refers to a network of computers where data can be exchanged without a central server. It was the basis for music file exchanges under Napster and other similar programs. The programs proved to be extremely popular despite their "illicit" undertones.

P2P is also the foundation for Skype, the freemium, encrypted phone service that was bought by Microsoft (and led some to wonder whether it was still a true P2P program when some underlying changes were made).

In a nutshell, P2P is the underlying foundation for some of the world's most popular software packages and services which revolve around information exchange, no matter what type of information it may be.

It's also mature technology, which is why there is already a good list of P2P-related breaches. A smattering of P2P-focused breaches I've covered in the past:

Of course, using P2P software is no more prone to data breaches than other ways of accidentally leaking information: email, sending faxes to the wrong recipient, etc. It's a matter of ensuring your settings are configured correctly.

Which is probably why the FTC has charged two companies -- a debt collection agency in Utah and a car dealership in Georgia -- with leaking customer data.

EPN (Checknet)

According to arstechnica.com and other sources, the FTC

alleges that the company allowed its chief operating officer "to install P2P file-sharing software on the EPN computer system, causing sensitive information including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients to be made available to any computer connected to the P2P network."

Also, from ftc.gov (my emphases):

The agency charged that the company did not have an appropriate information security plan, failed to assess risks to the consumer information it stored, did not adequately train employees, did not use reasonable measures to enforce compliance with its security policies, such as scanning its networks to identify any P2P file-sharing applications operating on them, and did not use reasonable methods to prevent, detect and investigate unauthorized access to personal information on its networks. According to the agency, the failure to implement reasonable and appropriate data security measures was an unfair act or practice and violated federal law.

The settlement order with debt collector EPN bars misrepresentations about the privacy, security, confidentiality, and integrity of any personal information.

Franklin's Budget Car Sales (Franklin Toyota)

The second company,

sells cars and provides financing options for buyers, released information belonging to 95,000 of its customers, including names, addresses, Social Security Numbers, dates of birth, and driver's license numbers.... since 2001, the Franklin's Budget Car Sales (also known as Franklin Toyota) assured users in its privacy and data use policy statement that it maintains "physical, electronic, and procedural safe guards that comply with federal regulations to guard non public personal information." The FTC's charges stand in direct contradiction of that statement, and found that the auto dealer violated the commission's prohibition of "unfair or deceptive acts" in commerce. [arstechnica.com, my emphasis]

FTC Goes After Deceptive Practices

The FTC accuses many companies of deceptive practices. Well, technically, there isn't a way to get around that: a big part of the FTC's mandate is to go after companies that engage in unfair or deceptive acts in commerce. What I mean is that the FTC has gone after many companies that have leaked data for that one reason: promising to keep data safe.

The list is a motley composition of big names and "no names." For example, you have the two companies above that, I'm assuming, most people have never heard of before. But, you also have Twitter, Rite Aid, RockYou, and MySpace.

The bottom line: if you're storing customer data -- especially if it's considered to be "sensitive" in nature -- you'd better be protecting it. Or, if you're not, at least don't promise to do so. Nobody reads those EULAs anyway, right? Right?

Riiight. The correct move, of course, is to ensure that your data security is up to par.

Whenever a car is at the center of a data breach, you can bet it's because someone left their laptop, smartphone, or other data device in the car, usually in the passenger seat, less often in the trunk. Sometimes, though, the car is the source of the data breach -- thanks to the increasing ubiquity of a vehicle's navigation and infotainment systems. Are we headed towards an era where computer drive encryption like AlertBoot needs to extend to personal vehicles?

UK's Vehicle Remarketing Association Sounds Alert

According to UK sources, the Vehicle Remarketing Association (VRA) is warning drivers and recommending that personal data in vehicles be wiped before a car is sold or returned to a provider. How real is the threat? According to autoblog.com:

There has already been one case of a buyer of a car tracking down the previous owner from information left on the hard disk. Fortunately, this was only to ask him some questions about the car, but the implications are clear. You wouldn't sell your laptop computer on ebay with your personal data still on it, and we all need to get used to the idea that the car is no different.

Sure, a guy who's really concerned about his car's particulars doesn't come across as much of a threat. On the other hand, you can't expect things to remain innocuous forever. After all, there are non-apocryphal stories out there about burglars stealing a car from, say, a restaurant's parking lot and using the satnav to reach the car owner's home, and burglarizing it.

And why not? I mean, aside from the ethical, moral, and legal complications. The car owner's probably on his second Martini and in no hurry to get back home. Heck, he may even opt to delay getting home and stop by the police station to file a complaint.

To Be Congratulated

I've got to extend kudos to the VRA. The truth is, most people wouldn't really think of their satnav systems or other car-based consoles as a source of a data breach. There are those who do program their consoles so that the car is not actually pointing home (I mean, what, are you going to get lost driving in your own neighborhood? Set "home" to your nearest 24-hour convenience store).

But, people who do so are few and far between. People answer the question "where's home" as truthfully as they do "what's the name of your first pet?" The latter comes, you will recognize, from the personal questions used to confirm your identity in the event you forget your password. Here's a security tip: memorize a random word for that and use it. That way, you can't be socially engineered out of it. Your pet's name might be Snuffles, but for your bank account? Then your pet's name is deoxyribonucleic acid.
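The Dirty Dozen post above notes that security-question answers are stored hashed like passwords, and this post advises memorizing a random answer instead of the truthful one. As an added example (not code from the blog or from AlertBoot), here is how a service would store such an answer so that a deliberately non-literal reply still verifies: the answer is normalized for case and whitespace, then salted and hashed with PBKDF2, and the plaintext is never kept. The function names, the 200,000 iteration count and the record layout are assumptions.

```python
import hashlib
import hmac
import secrets
import unicodedata

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value for the example


def normalize(answer: str) -> str:
    """Fold harmless variation so a consistently remembered answer verifies.

    A non-literal answer only helps if the user can reproduce it, so
    Unicode form, case and runs of whitespace are canonicalized first.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def store_answer(answer: str) -> dict:
    """Return the record a server keeps: salt and hash, never the answer itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_answer(record: dict, attempt: str) -> bool:
    """Recompute the hash for the attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(attempt).encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def random_answer() -> str:
    """Generate the kind of random, non-guessable answer the post recommends."""
    return secrets.token_urlsafe(12)


if __name__ == "__main__":
    # Constructed demonstration: the "pet's name" is the post's example answer.
    rec = store_answer("deoxyribonucleic acid")
    print("record keeps no plaintext:", "deoxyribonucleic" not in str(rec))
    print("retyped with odd spacing/case:", verify_answer(rec, " Deoxyribonucleic  ACID"))
    print("actual pet name rejected:", verify_answer(rec, "Snuffles"))
```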

New malware targeting Google's Android OS masquerades as a security app, says Kaspersky Lab. Google Play (formerly Android Market) is not perfect, and trojans like these are why one should exercise caution when downloading apps from it and, especially, from third-party app markets.

Android Security Suite Premium

The trojan, which goes by the name of Android Security Suite Premium, is really a variant of the Zeus malware. It appeared in early June and there have been newer versions since.

The malware, according to pcworld.com:

Steals incoming text messages and sends them to hackers

Can receive commands to uninstall themselves

Can steal system information

Enable or disable malicious apps (that are already installed, seems to be the implication)